Threat modeling and DevOps: 3 lessons from the front lines

Robert Lemos, Technology Journalist, Independent

It's a common scenario: Someone in the C-suite decides on a new strategy. But after threat modeling is conducted, it turns out that it might not be such a great idea from a security perspective.

A real-world example comes from Irene Michlin, a DevOps trainer and principal security consultant at NCC Group, who described a bank whose executives decided that the next iteration of its customer-facing application should get rid of a hardware token in favor of text messaging for two-factor authentication.

Yet an analysis of the feature request, which took place as part of a one-hour exercise designed to teach developers and operations teams how to conduct threat modeling, quickly pinpointed the weaknesses of using text messaging as a second factor, Michlin said. She presented on the topic at DevSecCon in London in October.

Attackers have already found ways to obtain one-time passwords sent through the short-message service (SMS), which is often used to enhance account security. But companies don't always consider those issues when deciding on new features, she said.

"People came up with exactly the threats in SMS insecurity that became headlines a few months later. This is the strength of threat modeling: People with one hour of training can go and find the threats that impact applications and big businesses."
—Irene Michlin

Threat modeling is often done as part of the design or security assessment phase, and decided upon before the start of development. Increasingly, security experts are calling for security to be better integrated into the development pipeline.

Here are three lessons from DevOps experts who have incorporated threat modeling into their software pipelines.


1. Start now—don't wait

While many development teams resist embarking on a threat modeling effort, there's no need to delay. As with many aspects of DevOps, starting quickly and integrating often are the keys to success, said NCC's Michlin. Threat modeling can be done in a half-day session, and it will give both developers and operations teams more insight into the project.

"People tend to say, 'My particular project is a mess,'" she said. But rather than wait for the right time, you should get past your fears and start threat modeling with your current solution.

"Sometimes people have a perception that threat modeling is very time-consuming, and so you can only afford it in a waterfall-type design cycle. But for DevOps, you can start right away. You don't need to wait for the start of the project. You can start applying it in sprint 12 out of a 50-sprint project."
—Irene Michlin

2. Don't forget the business risk

While DevOps aims to bring developers and operations specialists together to create a single pipeline, from software creation to deployment, you also need to consider the business risks. Threat modeling is invaluable for ensuring that a service or software has high availability and complies with all relevant regulations, said Altaz Valani, director of research for application-security firm Security Compass.

"Make sure whichever threat modeling you decide on is focused on business value. The value of threat modeling as an activity is limited."
—Altaz Valani

The most successful efforts at incorporating threat modeling into DevOps come from the top down, he said. The problem with grassroots efforts is that the team may have to fight for budget and other resources to do threat modeling effectively, Valani said. "At least until they get hit, and then suddenly it gets important."


3. Close the gap

While DevOps teams work to integrate application development and deployment efforts, operations teams often worry that they lack insight into what developers are doing and how their software is changing, according to the NCC Group's Michlin.

Threat modeling can help, because for it to be done correctly, both teams need to sit down—along with business executives—to discuss risks.

"Threat modeling, because you do it by bringing the whole team together at the beginning of each iteration—helps to solve the problems. The people who are responsible for operations will gain visibility into the development."
—Irene Michlin

It's worth a go

In the context of DevOps, threat modeling is not necessarily going to catch all threats, but it's always a worthwhile exercise, Michlin said.

New York's Cyber Command (NYC3), for example, used threat modeling to uncover new attack strategies. This resulted in defenders blocking more than 500 intrusion attempts, catching five attempts to hijack privileged user accounts, and uncovering three major vulnerabilities.

"In threat modeling you never get the answer; you get an answer. It is not an exact science, but as long as the team has run through the process, they get useful answers."
—Irene Michlin
